Comprehensive Veterans' Data Protection and Identity Theft Prevention Act of 2006 - Places upon the Secretary of Veterans Affairs an affirmative obligation to protect from any data breach the sensitive personal information of veterans and any other individuals that the Department of Veterans Affairs possesses, creates, or maintains, as well as information or tools (including passwords and encryption keys) used to protect the integrity of such data.
Requires the Secretary to: (1) implement and maintain reasonable security policies and procedures to protect such information; and (2) prescribe policies and procedures regarding employee and third party access to, and use of, such information which the Department receives, maintains, or transmits.
Directs the Secretary, upon discovery of a data breach, to: (1) notify the United States Secret Service, the Department's Inspector General, the congressional veterans' committees, and the Federal Trade Commission (FTC); (2) notify each individual whose information was acquired or accessed by an unauthorized person; and (3) place a conspicuous notice on the Department's Internet website.
Requires the Secretary, upon request of an affected individual, to: (1) include a fraud alert in the file of the individual with each nationwide consumer reporting agency; (2) apply a security freeze to the file of such individual; and (3) provide free damage mitigation services, including credit monitoring and annual copies of consumer credit reports.
Establishes within the Department an Ombudsman for Data Security.
[Congressional Bills 109th Congress]
[From the U.S. Government Publishing Office]
[H.R. 5588 Introduced in House (IH)]
109th CONGRESS
2d Session
H. R. 5588
To require the Secretary of Veterans Affairs to protect sensitive
personal information of veterans, to ensure that veterans are
appropriately notified of any breach of data security with respect to
such information, to provide free credit monitoring and credit reports
for veterans and others affected by any such breach of data security,
and for other purposes.
_______________________________________________________________________
IN THE HOUSE OF REPRESENTATIVES
June 12, 2006
Mr. Salazar (for himself and Mr. Evans) introduced the following bill;
which was referred to the Committee on Veterans' Affairs
_______________________________________________________________________
A BILL
To require the Secretary of Veterans Affairs to protect sensitive
personal information of veterans, to ensure that veterans are
appropriately notified of any breach of data security with respect to
such information, to provide free credit monitoring and credit reports
for veterans and others affected by any such breach of data security,
and for other purposes.
Be it enacted by the Senate and House of Representatives of the
United States of America in Congress assembled,
SECTION 1. SHORT TITLE.
This Act may be cited as the ``Comprehensive Veterans' Data
Protection and Identity Theft Prevention Act of 2006''.
SEC. 2. DEFINITIONS.
For purposes of this Act, the following definitions shall apply:
(1) Data breach.--The term ``data breach'' means the
unauthorized acquisition or use of data in electronic or
printed form containing sensitive personal information,
including information compromised with respect to the theft of
data first publicly reported on May 22, 2006.
(2) Data in electronic form.--The term ``data in electronic
form'' means any data stored electronically or digitally on any
computer system or database and includes recordable tapes and
other mass storage devices.
(3) Department.--The term ``Department'' means the
Department of Veterans Affairs.
(4) Encryption.--The term ``encryption'' means the
protection of data in electronic form in storage or transit
using an encryption technology that has been adopted by an
established standards setting body which renders such data
indecipherable in the absence of associated cryptographic keys
necessary to enable decryption of such data, together with
appropriate management and safeguards of such keys to protect
the integrity of the encryption.
(5) Nationwide consumer reporting agency.--The term
``nationwide consumer reporting agency'' means a consumer
reporting agency described in section 603(p) of the Fair Credit
Reporting Act.
(6) Secretary.--The term ``Secretary'' means the Secretary
of Veterans Affairs.
(7) Sensitive personal information.--The term ``sensitive
personal information'' means the name, address, or telephone
number of a veteran or other individual, in combination with
any of the following:
(A) Social Security number.
(B) Any information not available as part of the
public record regarding the veteran or other
individual's military service or health.
(C) Any financial account or other financial
information relating to the veteran or other person.
SEC. 3. PROTECTION OF SENSITIVE PERSONAL INFORMATION OF VETERANS.
(a) Affirmative Obligation.--The Secretary shall have an
affirmative obligation to protect from any data breach the sensitive
personal information of veterans and any other individuals that the
Department (or any third-party entity acting on behalf of the
Department) possesses, creates, or maintains as well as any information
or tools, including passwords or cryptographic keys used to protect the
integrity of encrypted data, used to access sensitive personal
information maintained independently by others.
(b) Security Policies and Procedures.--The Secretary shall
implement and maintain reasonable policies and procedures to protect
the security and confidentiality of sensitive personal information
relating to any veteran or other individual that is maintained,
serviced, or communicated by or on behalf of the Department against any
unauthorized access.
(c) Policies and Procedures Regarding Access and Use.--The
Secretary, by regulation, shall prescribe policies and procedures
regarding employee and third party access to, and use of, sensitive
personal information as well as the protection of such sensitive
personal information, which the Department receives, maintains, or
transmits. Such policies and procedures shall be issued before the end
of the 90-day period beginning on the date of the enactment of this
Act.
(d) System Restoration Requirements.--If the Secretary determines
that a data breach has occurred, is likely to have occurred, or is
unavoidable, the Secretary shall take prompt and reasonable measures
to--
(1) repair the breach and restore the security and
confidentiality of the sensitive personal information involved
to limit further unauthorized misuse of such information; and
(2) restore the integrity of the data security safeguards
of the Department and make appropriate improvements to the data
security, and the access and use, policies and procedures
issued under subsections (b) and (c).
(e) Third Party Duties.--
(1) Coordinated investigation.--Whenever any third party
handling sensitive personal information for or on behalf of the
Department determines that a data breach has occurred, is
likely to have occurred, or is unavoidable, with respect to
such information, the third party shall--
(A) promptly notify the Department of such
determination;
(B) conduct a coordinated investigation with the
Department to determine the full scope of any such data
breach; and
(C) ensure that the appropriate notices are
provided as required under section 4 of this Act.
(2) Contractual obligation required.--The Secretary shall
not provide sensitive personal information to a third party
unless such third party agrees to fulfill the obligations
imposed by sections 4, 5, and 6 of this Act.
(3) Liability for costs.--Except as otherwise established
by written agreements between the Department and any third
party, a third party that suffers a data breach shall be
responsible for all costs associated with complying with this
Act, as well as other costs related to such a breach, including
any damages relating to such a breach.
SEC. 4. NOTIFICATION OF DATA BREACH.
(a) Notification.--Upon discovery of a data breach, the Secretary
shall--
(1) notify the United States Secret Service, the Inspector
General for the Department of Veterans Affairs, the Committees
on Veterans' Affairs of the Senate and the House of
Representatives, and the Federal Trade Commission that a data
breach has occurred and the extent of such a breach;
(2) notify each individual whose personal information was
acquired or accessed by an unauthorized person as a result of
such a data breach; and
(3) place a conspicuous notice on the Department's Internet
website, which shall include a telephone number that the
individual may use, at no cost to such individual, to contact
the Department to inquire about the data breach or the
information the Department maintained about that individual.
(b) Timeliness of Notification.--All notifications required under
subsection (a) shall be made as promptly as possible and without
unreasonable delay following the discovery of a data breach and the
implementation of any measures necessary to determine the scope of the
breach, prevent any further breach or unauthorized disclosures, and
reasonably restore the integrity of the data system.
(c) Method and Content of Notification.--
(1) Method of notification.--The Secretary shall provide
written notification to individuals under subsection (a)(2).
(2) Content of notification.--Such written notification
provided to an individual under paragraph (1) shall include--
(A) a description of the personal information that
was acquired by an unauthorized person;
(B) a telephone number that the individual may use,
at no cost to such individual, to contact the Ombudsman
for Data Security in the Department to inquire about
the security breach or the information about that
individual that the person acquired or accessed, as
well as to obtain assistance in addressing identity
theft issues;
(C) the toll-free contact telephone numbers and
addresses for the major credit reporting agencies;
(D) a toll-free telephone number and Internet
website address for the Federal Trade Commission
whereby the individual may obtain information regarding
identity theft; and
(E) information regarding the right of an
individual, at no cost to that individual, to place a
fraud alert, obtain a security freeze, and receive
credit monitoring where applicable, including
information clearly describing the advantages and
disadvantages of these actions.
(d) Website Notice of Federal Trade Commission.--The Federal Trade
Commission shall place, in a clear and conspicuous location on its
Internet website, a notice of any breach of security that is reported
to the Commission under subsection (a)(1).
SEC. 5. FRAUD ALERTS.
(a) Inclusion in Consumer Files.--The Secretary shall arrange, upon
the request of a veteran or other individual affected by a data breach
and at no cost to the veteran or other individual, to include a fraud
alert in the file of that veteran or other individual with each
nationwide consumer reporting agency in the manner provided under
section 605A(a) for a period of not less than 1 year, beginning on the
date of such request, unless the veteran or other individual requests
that such fraud alert be removed before the end of such period, and the
agency has received appropriate proof of the identity of the requestor
for such purpose.
(b) Distribution.--Each nationwide consumer reporting agency
referred to in subsection (a) shall also provide the alert required
under such subsection in the file of a veteran or other individual
along with any credit score generated in using that file, for a period
of not less than 1 year, beginning on the date of such request, unless
the veteran or other individual requests that such fraud alert be
removed before the end of such period, and the agency has received
appropriate proof of the identity of the requestor for such purpose.
SEC. 6. CREDIT SECURITY FREEZE.
(a) In General.--The Secretary shall arrange, upon the request of a
veteran or other individual affected by a data breach and at no cost to
the veteran or other individual, to apply a security freeze to the file
of that veteran or other individual with each nationwide consumer
reporting agency for a period of not less than 1 year, beginning on the
date of such request, unless the veteran or other individual requests
that such security freeze be removed before the end of such period, and
the agency has received appropriate proof of the identity of the
requestor for such purpose.
(b) Confirmation and Pin Numbers.--The agency shall send a written
confirmation of the security freeze to the veteran or other individual
within 5 business days of placing the freeze. The agency shall refer
the information regarding the security freeze to other consumer
reporting agencies. The agency shall provide the veteran or other
individual with a unique personal identification number or password to
be used by the veteran or other individual when providing authorization
for the release of his or her credit for a specific party or period of
time.
(c) Temporary Lift of Freeze.--The agency that receives a request
from a veteran or other individual to temporarily lift a freeze on a
consumer report shall comply with the request no later than 3 business
days after receiving the request. Such request shall be specific as to
the period to which the temporary lift of a freeze shall apply.
(d) Negotiating Authority.--The Secretary shall have broad
authority to negotiate and secure the best possible price for services
provided under this section. All reasonable costs shall be borne by the
Secretary.
SEC. 7. AUTHORITY TO PROVIDE MITIGATION SERVICES TO VICTIMS OF DATA
SECURITY BREACHES.
(a) In General.--The Secretary shall provide, free of charge, to
each individual whose personal information is (or was before the date
of enactment of this Act) compromised by a data breach at the
Department of Veterans Affairs--
(1) credit monitoring services, during a 1-year period
beginning on the date of enactment of this Act; and
(2) a copy of the consumer report (as defined in section
603 of the Fair Credit Reporting Act) of the affected
individual once annually during the 2-year period beginning on
the date on which the credit monitoring services required by
paragraph (1) terminate, which shall be in addition to any
other consumer report provided to the individual under
otherwise applicable law, free of charge or otherwise.
(b) Negotiating Authority.--The Secretary of Veterans Affairs shall
have broad authority to negotiate and secure the best possible price
for services provided under this section.
SEC. 8. OMBUDSMAN.
(a) Establishment.--The Secretary shall establish the position of
an Ombudsman for Data Security within the Department.
(b) Duties.--The Ombudsman for Data Security shall--
(1) provide information and assistance to veterans or other
individuals affected by data breaches, including providing
information and assistance on identity theft and issues
relating to identity theft;
(2) assist veterans or other individuals affected by a data
breach with placing fraud alerts and security freezes;
(3) provide veterans with ongoing education on general
financial matters and identity theft in particular; and
(4) carry out such other duties and responsibilities as the
Secretary may designate to the Ombudsman for Data Security.
Introduced in House
Referred to the House Committee on Veterans' Affairs.
Sponsor introductory remarks on measure. (CR H3803)
Executive Comment Requested from Veterans' Affairs.
Unfavorable Executive Comment Received from Veterans' Affairs.